BSOD, Crash Dump, and Minidump Analysis


In this video, I bring you into the world of the elusive Blue Screen of Death and the forensic level of study required to analyze such crashes. At Windows 7 Forums, we have an entire team of BSOD experts, many of whom are prolific, ingenious members who know their stuff. Although I am 7x certified by Microsoft and CompTIA, even I still find the process of analyzing minidumps to be elusive, difficult, and annoying. However, in this video we go through a few options: looking at the extent of BSODs and the impact they have all over the world, checking out how the Windows SDK can be used to analyze minidumps, locating a minidump that is generated after Windows crashes, converting crash hexadecimal timestamps into regular dates and times, and showing how to post your minidump to Windows7Forums.com for help after the crash takes place. Although this video is not a perfect analysis of how minidumps are debugged, it does give a first-look level of insight into the knowledge involved, and how you can seek help at Windows7Forums.com from prolific experts. In the end, go to the experts, many of whom will help you free of charge.

Excellent video, Mike. Very well made! I'd like to add some basic information that users interested in working with WinDbg would find useful.

One of the first things you'd want to do upon opening WinDbg for the first time after installation is to configure it. That means setting the symbol path correctly so that WinDbg will not complain about it while looking at the crashes. This tells the debugger the local location on your PC where you'd like to store the symbols, and also where to download them from if the specific version needed does not currently exist there.

Symbols are, in essence, the actual drivers. The two terms are synonymous.

So now in WinDbg, without any crash dump opened, you can press Ctrl+S on the keyboard. Copy and paste this string into the symbol path field:

Code:

SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols

then press OK. With this specific example, it will save all the symbols (drivers) in a folder at C:\SymCache for future use. Once there, that version will never have to be downloaded again. The http part is the web server address from which the debugger will download the symbols it needs, if they are not already in your local cache.

After hitting OK, close and re-open WinDbg; you can now open a crash dump.

--------

Upon closing WinDbg, it will always ask you "Save information for workspace?"

The correct answer to this would be Yes, so that the symbols are stored in the local cache.

--------

In order to make Windows automatically open crash dump .dmp files with WinDbg when they are double-clicked in Windows Explorer, we need to open an elevated command prompt. Then we need to change to the directory where WinDbg was installed. To do this, enter chdir /d LOCATIONOFWINDBG.EXEHERE and press Enter. If WinDbg was installed to the default location, an example would be:

Code:

chdir /d C:\Program Files\Debugging Tools for Windows (x86)\

Then you can type (or copy/paste) this:

Code:

windbg.exe -IA

then press Enter.

Now try to open any .dmp file from Windows Explorer by clicking or double-clicking on it.
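The WinDbg setup above leaves the reading of the dump itself to the debugger. As an added example (not part of this thread, and not anything Windows7Forums or Microsoft ships), here is a small Python script that does two things a helper usually wants from a BSOD minidump before WinDbg is even involved: it pulls the bug check code and its four parameters out of the dump header, and it converts the two timestamp encodings met in this work, the hex time_t values WinDbg prints for driver images and the FILETIME stored in the dump header. The header offsets used are my assumption from the public, reverse-engineered DUMP_HEADER64 layout, not something stated on this page, and the sample dump bytes are constructed inside the script. One caveat worth knowing: the kernel minidumps in C:\Windows\Minidump begin with PAGEDU64 (PAGEDUMP on 32-bit Windows), not with MDMP, which is the signature of a user-mode minidump and is laid out differently.

```python
"""Triage the fixed header of a Windows kernel crash dump (the .dmp files in
%SystemRoot%\\Minidump) and convert the timestamp encodings met in BSOD work.

Assumed layout (public reverse-engineered DUMP_HEADER64, 4096 bytes):
  0x00 Signature 'PAGE'    0x04 ValidDump 'DU64'    0x08 MajorVersion    0x0C MinorVersion
  0x30 MachineImageType    0x34 NumberProcessors    0x38 BugCheckCode
  0x40..0x58 BugCheckParameter1..4 (u64 each)
  0xF98 DumpType (1 full, 2 kernel/summary, 4 triage = small memory dump)
  0xFA8 SystemTime (FILETIME: 100 ns ticks since 1601-01-01 UTC)
A 32-bit DUMP_HEADER ('PAGEDUMP') keeps the bug check at 0x28 with u32 parameters at 0x2C.
User-mode minidumps start with 'MDMP' and use a different (MINIDUMP_HEADER) layout.
"""
import struct
import sys
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x1000
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_UNIX_EPOCH = 116444736000000000   # FILETIME value of 1970-01-01T00:00:00Z
DUMP_TYPES = {1: "full", 2: "kernel (summary)", 4: "triage (small memory dump)"}


def time_t_to_utc(stamp):
    """Hex time_t such as '0x4C2B1F3A' (a driver's PE TimeDateStamp in lmvm output) -> UTC."""
    value = int(stamp, 16) if isinstance(stamp, str) else int(stamp)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("expected a 32-bit time_t")
    return datetime.fromtimestamp(value, tz=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """64-bit FILETIME -> UTC datetime; integer arithmetic avoids float rounding."""
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def parse_dump_header(data: bytes) -> dict:
    """Return bitness, version, bug check and (64-bit only) dump type and system time."""
    if len(data) < HEADER_SIZE:
        raise ValueError("header truncated: need %d bytes, have %d" % (HEADER_SIZE, len(data)))
    magic = bytes(data[:8])
    if magic[:4] == b"MDMP":
        raise ValueError("user-mode minidump (MDMP), not a kernel crash dump")
    if magic == b"PAGEDU64":
        image_type, ncpu = struct.unpack_from("<II", data, 0x30)
        code, = struct.unpack_from("<I", data, 0x38)
        params = list(struct.unpack_from("<4Q", data, 0x40))
        dump_type, = struct.unpack_from("<I", data, 0xF98)
        system_time, = struct.unpack_from("<Q", data, 0xFA8)
        info = {"bits": 64,
                "dump_type": DUMP_TYPES.get(dump_type, "unknown(%d)" % dump_type),
                "system_time": filetime_to_utc(system_time)}
    elif magic == b"PAGEDUMP":
        image_type, ncpu = struct.unpack_from("<II", data, 0x20)
        code, = struct.unpack_from("<I", data, 0x28)
        params = list(struct.unpack_from("<4I", data, 0x2C))
        info = {"bits": 32}
    else:
        raise ValueError("unrecognised signature %r" % magic)
    major, minor = struct.unpack_from("<II", data, 8)
    info.update(version="%d.%d" % (major, minor), machine_image_type=image_type,
                processors=ncpu, bugcheck_code=code, bugcheck_params=params,
                bugcheck_text="BugCheck 0x%08X {%s}" % (code, ", ".join("0x%X" % p for p in params)))
    return info


def build_sample_dump64(code=0x7E,
                        params=(0xFFFFFFFFC0000005, 0xFFFFF8000315A6B0,
                                0xFFFFF8800318A6B8, 0xFFFFF88003189F10),
                        when=datetime(2010, 6, 30, 10, 40, 58, tzinfo=timezone.utc)) -> bytes:
    """Constructed fixture: a 4 KB PAGEDU64 header with only the fields read above filled in.
    The values are invented for the test; real headers pad unused bytes with 'PAGE' as well."""
    hdr = bytearray(b"PAGE" * (HEADER_SIZE // 4))
    hdr[0:8] = b"PAGEDU64"
    struct.pack_into("<II", hdr, 0x08, 15, 7601)          # invented build numbers
    struct.pack_into("<II", hdr, 0x30, 0x8664, 4)         # IMAGE_FILE_MACHINE_AMD64, 4 CPUs
    struct.pack_into("<I", hdr, 0x38, code)
    struct.pack_into("<4Q", hdr, 0x40, *params)
    struct.pack_into("<I", hdr, 0xF98, 4)                 # triage dump
    ticks = ((when - WINDOWS_EPOCH) // timedelta(microseconds=1)) * 10
    struct.pack_into("<Q", hdr, 0xFA8, ticks)
    return bytes(hdr)


if __name__ == "__main__":
    # Usage: python dumphdr.py C:\Windows\Minidump\xxxx.dmp  (no argument: parse the sample)
    raw = open(sys.argv[1], "rb").read(HEADER_SIZE) if len(sys.argv) > 1 else build_sample_dump64()
    for key, value in parse_dump_header(raw).items():
        print("%-18s %s" % (key, value))
    print("0x4C2B1F3A as time_t ->", time_t_to_utc("0x4C2B1F3A"))
```

The bug check line the script prints is the same tuple WinDbg shows at the top of !analyze -v, so it is a quick sanity check that a file a member posted is really a kernel dump and not a user-mode one before spending time downloading symbols for it.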